1 Answer

The most important thing you need is a (good) random number generator. I've seen some cases where TANs were not randomly distributed and so were in some way guessable.

You just generate a list of TANs. The user can select one TAN for each transaction. This is one of the most unsafe variants of using TAN lists. The user can be tricked onto some phishing site and enters user name, password and TAN. The attacker takes them and uses them.

A better version is indexed TANs (iTAN). Every TAN gets some index number. When the user wants to finish some transaction, the site asks for a TAN with a specific index number. When the user visits a phishing site and also enters username, password and TAN, it is less likely that he enters the TAN which is needed by the next transaction. So this gives more security.

Mobile TANs (mTAN) are, in my opinion, the best way for TAN management. If the user wants to finish a transaction, a short message (SMS) is sent by his counterpart. He has to enter exactly this TAN. So if the user visits phishing pages, he simply has no valid TANs anymore.

You should decide what kind of TAN you really need according to the security requirements you have. Besides creating TANs, you should have an eye on the distribution channel (snail mail, e-mail, SMS etc.) of your TAN lists. If you choose an unsafe way, this can also put the user at risk.
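The server side of the indexed-TAN scheme described in the answer, as an added example that is not part of the original post: TANs are drawn from the OS CSPRNG rather than a plain PRNG, the server stores only hashes, names the index it wants per transaction, and marks each TAN used once. The list size, TAN length and the one-attempt-per-challenge policy are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed parameters (assumptions, not from the original answer).
TAN_LENGTH = 6      # digits per TAN
LIST_SIZE = 100     # TANs per printed list


def generate_tan_list(size=LIST_SIZE, length=TAN_LENGTH):
    """Return {index: tan} using the CSPRNG (secrets), never random.random()."""
    return {i: "".join(str(secrets.randbelow(10)) for _ in range(length))
            for i in range(1, size + 1)}


def _digest(index, tan):
    # Bind the hash to its index so TAN #7 cannot be presented as TAN #23.
    return hashlib.sha256(f"{index}:{tan}".encode()).hexdigest()


class ITanServer:
    """Server-side state for one customer's iTAN list (hashes only)."""

    def __init__(self, tan_list):
        self.hashes = {i: _digest(i, t) for i, t in tan_list.items()}
        self.used = set()
        self.pending = None   # index requested for the current transaction

    def challenge(self):
        """Pick an unused index at random; the user must supply that TAN."""
        free = [i for i in self.hashes if i not in self.used]
        if not free:
            raise RuntimeError("TAN list exhausted, issue a new one")
        self.pending = secrets.choice(free)
        return self.pending

    def verify(self, index, tan):
        """Accept only the requested index, once, with a constant-time compare."""
        if self.pending is None or index != self.pending or index in self.used:
            return False          # a phished TAN at another index is useless
        ok = hmac.compare_digest(self.hashes[index], _digest(index, tan))
        if ok:
            self.used.add(index)  # single use: a replayed TAN is rejected
        self.pending = None       # one attempt per challenge, then re-issue
        return ok
```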